Strange problem with pipeline

Demiurg · March 4, 2024, 9:25am

Hi.

My Graylog server (5.2.4) routes logs from sidecar (audibeat) to two streams - streams A and B (by streams rules) and its ok. Stream A should keep oryginal log but stream B should keep only few fields. So I created rules for pipeline like this:

rule “ssh alerts cut”
when
contains(
value: to_string($message.“auditbeat_auditd_data_terminal”),
search: “ssh”,
ignore_case: true
)
AND
contains(
value: to_string($message.“auditbeat_auditd_result”),
search: “fail”,
ignore_case: true
)
then
remove_field(
field : “^(?!auditbeat_event_original$).*$”,
invert : false
);
end

This rules are attached to pipeline to stream B and cut log as I wish… but it turns out that stream A is also cut up and the data in it is exactly the same as in stream B. Why? My message processors order are: 1.Stream Rule Processors 2. Message filter chain 3. Pipeline Processors. Any help please?

patrickmann · March 4, 2024, 11:37am

The same message can be mapped to multiple streams. Routing to a stream does not create a copy. Use the clone_message function to create a copy.

Demiurg · March 11, 2024, 2:29pm

Thx for your explanation. Now I’ve done it a bit roundaboutly using ‘create a new message’ in pipeline.

Topic		Replies	Views
Pipeline rule that route to a stream Graylog Central (peer support)	3	228	March 15, 2024
Pipeline rule to split log messages into key-value fields not working Graylog Central (peer support) pipeline-rules , sidecar , filebeat-linux	21	3869	September 15, 2022
Doing a pipeline rule Graylog Central (peer support)	3	241	January 12, 2024
Pipeline rule not working Graylog Central (peer support) pipeline-rules , route-to-streampl , debuggingpl	7	4014	November 20, 2017
Message in the Stream but not managed by pipeline Graylog Central (peer support) pipeline-rules	4	508	September 10, 2021

Strange problem with pipeline

Related topics